  1. #1
    Untangler
    Join Date
    Aug 2018
    Posts
    34

    Any advice on implementation of Untangle/u25 device in home network?

    Hi All,

    I am new to this forum and I am considering deploying an Untangle u25 device in my home network.
    Since I do have a bit of knowledge/experience with networking/security but am certainly not an expert, I thought it would be a good idea to seek some advice here before I buy.

    What is my situation?
    I currently have quite a lot of devices (30+) on my home network over which I have relatively little control (IoT devices, IP cams, guest devices, iPads, adolescent kids with game consoles and iPhones etc.).
    Being a bit of a tech nerd, this annoys me 😊
    I want to be able to get more insight in network usage of my devices (for example undesired external connections/'phoning home'), improve parental control (for example set time and context restrictions per device) and in general gain more insight in network load and behavior.
    Searching the internet for solutions I also came across Untangle. Here in Europe a relatively unknown solution but it seems to fit my requirements.
    I currently struggle to get clear how I should best fit the Untangle U25 device in my specific situation.

    What does my network look like?
    See the simplified schema below:

    [Attachment: Network layout simple.JPG]

    Some relevant points:
    • I have a 200 Mbps down/20 Mbps up subscription.
    • The home network I currently 'manage' is not designed from a greenfield situation but rather evolved during the last decades. For sure some things are not optimal.
    • Because the ISP provided modem/routers generally suck but cannot be replaced, I created a router-after-a-router situation from the start, accepting double NAT. No issues so far and solid throughput.
    • Because some of the IP cams I later bought are located on the outside of my home and connected via wire I wanted them to be separated from the rest of my home network to avoid network intrusion by simply hooking a laptop on to the UTP cable from the camera.
      I achieved this by connecting all IP cams directly to the modem/router on an available network port, separating them from my home network via the NAT/firewall of my second router (creating LAN A for IP cams and a separate LAN B for the other devices within my network).
    • My (Synology) NAS needs to be able to connect to all the IP cams since I run Surveillance station on it (storing recordings/playback etc. ). In the current setup this works fine.


    What am I looking for?
    • A solution that monitors ALL network traffic (so also my IP cams)
    • A solution that allows enforcement of policies and rules for network traffic for ALL devices (also IP cams)
    • IP cams need to remain strictly separated from the rest of my home network (due to UTP cables running on the outside of my home)
    • NAS needs to be within home network since it also serves other purposes than surveillance station but also needs to be able to connect to IP cams
    • Minimal risk of network breakdown and easy fallback (I prefer step by step implementation over big bang)


    I think that functionally Untangle should be able to do what I want.
    But given my situation and needs: how should I best fit the Untangle U25 device in my specific network situation?

    Simplest would be to add the u25 as a bridge between router/modem#1 and router#2 (Draytek Vigor). Or even replace router#2 with the u25 as a router, but then I cannot monitor and control the IP cams.
    Adding the IP cams to the same LAN gives security issues. Maybe a separate VLAN for the cameras? (something I do not have any experience with)
    And does this really provide 100% isolation from my other devices?
    Or is there another (better) solution?

    Thanks for your thoughts and advice!

    And sorry for the large post, but I thought it better to give too much info than too little.

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,535


    You should not have any issues with a u25. Just put the u25 right after the ISP router. Use one of the NICs on the u25 for the camera network to separate it from the other internal traffic.

    3 NICs on the u25

    1 - to ISP modem/router
    2 - to the cameras
    3 - to the internal network.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler Kyawa
    Join Date
    Dec 2016
    Location
    Maryland
    Posts
    446


    My u25 only has 2 NICs.

  4. #4
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,325


    I believe Untangle does not sell appliances outside the USA, right?
    Build your box with 3 NICs and buy a home license.
    The world is divided into 10 kinds of people, who know binary and those not

  5. #5
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,535
    Last edited by jcoffin; 08-15-2018 at 05:53 AM.

  6. #6
    Untangler
    Join Date
    Aug 2018
    Posts
    34


    Thanks all for the quick feedback.

    Re-using/altering the picture from the Untangle network wiki, I think the setup would end up like this:
    [Attachment: Network simple 2.JPG]
    Remaining questions I have:
    • How would I provide the NAS in section A (one way!) access to the IP cams in section B in this setup? (which I really need to store and view the IP cam recordings)
    • Is it possible to have separate DHCP servers/IP ranges within section A and B (Creating the IP ranges in the diagram above)
    • How 'hard' is the separation between A and B? Currently I use a 'foolproof' NAT/ firewall to do this. Is the solution above just as safe/simple?
    • Would it be wise to set the modem/router #1 in bridge mode to avoid double NAT in this setup? ( my guess is yes)

  7. #7
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,535


    I would use the default settings, NAT on the WAN, and not on internal networks. Use Filter rules /admin/index.do#config/network/filter-rules to block traffic to the separate networks.

    Rule 1:
    Destination Interface = <Camera Interface Name>
    Source Interface = Internal
    Action: block

    Rule 2:
    Source Interface = <Camera Interface Name>
    Destination Interface = Internal
    Action: block

  8. #8
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,535


    Quote Originally Posted by homenetwork:
        Remaining questions I have:
        • How would I provide the NAS in section A (one way!) access to the IP cams in section B in this setup? (which I really need to store and view the IP cam recordings)
    Make a rule in the list before the rules I posted above, which allows traffic from the cameras to the NAS IP.

    Quote Originally Posted by homenetwork:
        • Is it possible to have separate DHCP servers/IP ranges within section A and B (creating the IP ranges in the diagram above)?
    Each interface has its own DHCP server settings in the GUI.

    Quote Originally Posted by homenetwork:
        • How 'hard' is the separation between A and B? Currently I use a 'foolproof' NAT/firewall to do this. Is the solution above just as safe/simple?
    The rules I posted above are iptables blocks, so as secure as the basis for most firewalls.
    https://en.wikipedia.org/wiki/Iptables

    Quote Originally Posted by homenetwork:
        • Would it be wise to set the modem/router #1 in bridge mode to avoid double NAT in this setup? (my guess is yes)
    I would recommend the ISP modem in bridge mode.
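To make the rule ordering from posts #7 and #8 concrete, here is an added Python model of first-match filter-rule evaluation; it is not Untangle's code, and the interface names and 192.168.x addresses are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for this example; the thread gives no addresses.
NAS_IP = "192.168.1.10"   # NAS on the Internal interface (section A)


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src_if: Optional[str] = None    # None matches any interface
    dst_if: Optional[str] = None
    src_ip: Optional[str] = None    # address or CIDR; None matches any

    def matches(self, pkt: dict) -> bool:
        if self.src_if not in (None, pkt["src_if"]):
            return False
        if self.dst_if not in (None, pkt["dst_if"]):
            return False
        return self.src_ip is None or ip_address(pkt["src"]) in ip_network(self.src_ip)


def evaluate(rules, pkt: dict, default: str = "pass") -> str:
    """First matching rule wins. A new session matching nothing gets the default,
    which is the 'allow all, unless...' behaviour the thread discusses."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def packet(src_if, src, dst_if, dst):
    """A new session (first packet); replies are handled by connection tracking."""
    return {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst}


# The allow rule for the NAS must sit before the two block rules from post #7,
# otherwise the block on Internal -> Camera matches first and the NAS is cut off.
RULES = [
    Rule("pass", src_if="Internal", dst_if="Camera", src_ip=NAS_IP),  # NAS -> cameras
    Rule("block", src_if="Internal", dst_if="Camera"),               # rule 1
    Rule("block", src_if="Camera", dst_if="Internal"),               # rule 2
]

if __name__ == "__main__":
    nas = packet("Internal", NAS_IP, "Camera", "192.168.2.5")
    print(evaluate(RULES, nas))                   # pass
    print(evaluate(RULES[1:] + RULES[:1], nas))   # block: allow rule placed too late
```

Passing `default="block"` to `evaluate` models the 'block all, unless...' posture asked about in post #9; with it, camera-to-internet traffic would also need an explicit pass rule.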

  9. #9
    Untangler
    Join Date
    Aug 2018
    Posts
    34


    Quote Originally Posted by jcoffin:
        I would use the default settings, NAT on the WAN, and not on internal networks. Use Filter rules /admin/index.do#config/network/filter-rules to block traffic to the separate networks.
    Just to understand: why would you use this?
    For 'fool-proofness' I tend to prefer 'Block all, unless..' over 'Allow all, unless..'
    As said, I am not an expert, and I am slightly worried that by making mistakes I accidentally open up my network from the IP cam side (section B).

    Or would this be the only way to achieve what I try to do?

  10. #10
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    This explains all that:
    https://wiki.untangle.com/index.php/...figuration#NAT

    The benefit of using filter rules is that you can configure who can talk to who explicitly, whereas if you NAT there will be no communication at all.